X-Git-Url: https://git.exim.org/exim-website.git/blobdiff_plain/0f73fa0b4ff92ca78defcf79c9ab613fca600975..29ed6255443ddd8c3248415c80201169e4f2e8a4:/templates/static/doc/security/CVE-2019-10149.txt diff --git a/templates/static/doc/security/CVE-2019-10149.txt b/templates/static/doc/security/CVE-2019-10149.txt index b98bcf9..6710d8d 100644 --- a/templates/static/doc/security/CVE-2019-10149.txt +++ b/templates/static/doc/security/CVE-2019-10149.txt @@ -2,7 +2,7 @@ CVE-2019-10149 Exim 4.87 to 4.91 ================================ We received a report of a possible remote exploit. Currently there is no -evidenice of an active use of this exploit. +evidence of an active use of this exploit. A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87. @@ -11,16 +11,21 @@ The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better. +Exim 4.92 is not vulnerable. + Next steps: -* t0: Distros will get access to our non-public security Git repo +* t0: Distros will get access to our non-public security Git repo (access is granted based on the SSH keys that are known to us) * t0+7d: Coordinated Release Date: Distros should push the patched version to their repos. The Exim maintainers will publish - the fixed source to the official and public Git repo. + the fixed source to the official and public Git repo. + +t0 is expected to be 2019-06-04, 10:00 UTC +t0+7d is expected to be 2019-06-11, 10:00 UTC -t0 is expected to be 2019-06-04, 10:00 UTC +UPDATE: Details leaked, CRD is re-scheduled to 2019-06-05 15:15 UTC. Timeline 
@@ -29,16 +34,7 @@ Timeline * 2019-05-27 Report from Qualys to exim-security list * 2019-05-27 Patch provided by Jeremy Harris * 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat -* 2019-06-03 This announcement - -Updates will follow, here and on -http://www.exim.org/static/doc/security/CVE-2019-10149.txt - - Best regards from Dresden/Germany - Viele Grüße aus Dresden - Heiko Schlittermann --- - SCHLITTERMANN.de ---------------------------- internet & unix support - - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - - gnupg encrypted messages are welcome --------------- key ID: F69376CE - - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - +* 2019-06-03 This announcement to exim-users, oss-security +* 2019-06-04 10:00 UTC Grant restricted access to the non-public Git repo. +* 2019-06-04 This announcement to exim-maintainers, exim-announce, distros +* 2019-06-05 15:15 UTC Release the fix to the public
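Review bot: in the first hunk (@@ -2,7 +2,7 @@) the corrected sentence "Currently there is no evidence of an active use of this exploit." is still undated, while the same patch adds "UPDATE: Details leaked" further down, so "Currently" no longer tells the reader which point in time the statement covers. Suggest dating it (the timeline gives 2019-06-03 for the announcement) or rewording it to reflect the state after the leak, in the same change as the spelling fix.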
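Review bot: the second hunk (@@ -11,16 +11,21 @@) leaves two conflicting release dates in the advisory: the added line "t0+7d is expected to be 2019-06-11, 10:00 UTC" and the "t0+7d: Coordinated Release Date" bullet stand unchanged next to "UPDATE: Details leaked, CRD is re-scheduled to 2019-06-05 15:15 UTC." Someone who reads only the Next steps list will plan patching for 2019-06-11. Suggest marking the t0+7d line as superseded, or placing the UPDATE line above the Next steps list so the effective date is seen first.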
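Review bot: the third hunk (@@ -29,16 +34,7 @@) removes "Updates will follow, here and on http://www.exim.org/static/doc/security/CVE-2019-10149.txt" along with the signature, so copies of this text on mailing lists or in distro trackers no longer point back to the canonical, updated advisory or name a contact. Suggest keeping a one-line pointer to the canonical URL. Also, the new entry "2019-06-04 This announcement to exim-maintainers, exim-announce, distros" carries no time while the entries around it give UTC times; adding one would keep the timeline consistent.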